From: sales@[victimdomain].comThe spam appears to come "from" the recipients own email address (here's why). The bogus domain reedcouk.com is registered as follows:
Date: 30 October 2012 22:33
Subject: Employment opportunity
I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.
If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.
Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is 2000 GBP per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (UK time).
Region: United Kingdom.
Please note that there are no startup fees or deposits to start working for us.
To request an application form, schedule your interview and receive more information about this position
please reply to Bob@reedcouk.com with your personal identification number for this position IDNO: 0797
Lavern E. Davis
Lavern Davis firstname.lastname@example.org
816-680-7849 fax: 816-680-7331
4218 White Oak Drive
Strasburg MO 64090
The domain was registered on 30th October 2012 (today!) via BIZCN.COM, a crime-friendly domain registrar in China. Mail for this domain is handled by a server at 184.108.40.206 (Serverius, Netherlands) which is also ns1.zupyx.net, one of the nameservers for the fake reedcouk.com domain. Who owns zupyx.net? That looks like another fake registration:
Vivian L Resnick
221 Shaker Road
Northfield, NH 03276-4444
zupyx.net was only registered on 19th September 2012. But the plot thickens if we look at ns2.zupyx.net (the other namesever being used by reedcouk.com) we can see that it is hosted on 220.127.116.11 which appears to be a hacked US military server at Fort Huachuca:
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Direct Assignment
OrgName: Headquarters, USAISC
Address: NETC-ANC CONUS TNOSC
City: Fort Huachuca
You have to bear in mind that this military installation deals with military intelligence.. although you can be pretty certain that whatever server is running this bogus nameserver is public facing only. Hopefully.
This IP address also hosts a suspicious domain called trabalharpt.com:
Samantha K. Haley
Samantha Haley email@example.com
+1.8127473193 fax: +1.8127473193
778 Heliport Loop
Blue Ash IN 45242
Again, this is registered through BIZCN.COM in China, and was only registered one week ago on 24th October 2012. There's no reason for a domain like this to be hosted on what appears to be a US military server.
There are probably some other bad domains being supported by these nameservers, but I haven't been able to identify them yet.